
Hjt Log Spybot Says Virtumonde, Norton Says Vundo

Spybot keeps bringing up Virtumonde and asks to scan on restart but still can't fix it. Norton will pop up saying Trojan.Vundo and can't remove it. After a restart and not connecting to the net, it will ask to connect or work offline. Pages online try to freeze up; it will load a page, then say it cannot load and goes to a blank page. I also have a Windows security alert in the task bar saying Norton is not running, even when Norton is showing up in the task bar. Occasionally a page will pop up by itself; the page is blank but says "Error Detected" on the top bar, and the website is (winantivirus.com/download....). I didn't want to put the whole link up, but will if you need it. The address also has references to Yahoo mail and login.yahoo.mail. Here's the HJT log. Thanks in advance.

Thank you. I did run SuperAntiSpyware, which I was instructed to install a few months ago when I had a problem. It found a few things but didn't fix this problem. I'll add another HJT log if you need it. Thanks again. -Casey

Getting more popups now. Some are saying "sorry, page is no longer available"; one had several warning messages saying (warning cannot modify header....etc) and had a bunch of codes and stuff with each one. Just wanted to add that in case it would help to identify what is going on.

You will receive a prompt asking if you want to remove the files, click YES

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will reboot your computer, click OK.

Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Still having problems: it still wants to connect to the net when you're not online, and I still have the Windows security alert in the taskbar saying Norton isn't turned on. My Norton Auto-Protect icon is also in the taskbar like it should be. Here are the logs.

Attempting to delete C:\WINDOWS\system32\ihkmp.bak1
C:\WINDOWS\system32\ihkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ihkmp.ini
C:\WINDOWS\system32\ihkmp.ini Has been deleted!

Attempting to delete C:\windows\system32\vkrhdkuh.dll
C:\windows\system32\vkrhdkuh.dll Has been deleted!

Performing Repairs to the registry.
Done!

------------------------
Deckard's System Scanner v20070819.64
Run by Compaq_Owner on 2007-08-26 02:35:30
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Event Record #/Type: 6316 / Error
Event Submitted/Written: 08/16/2007 01:43:50 AM
Event ID/Source: 11334 / MsiInstaller
Event Description:
Product: Half-Life® 2 -- Error 1334. The file 'hl2.ico1' cannot be installed because the file cannot be found in cabinet file 'hl24.cab'. This could indicate a network error, an error reading from the CD-ROM, or a problem with this package.

Event Record #/Type: 21591 / Error
Event Submitted/Written: 08/24/2007 03:39:50 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Universal Plug and Play Device Host service depends on the SSDP Discovery Service service which failed to start because of the following error: %%1058

Event Record #/Type: 21589 / Error
Event Submitted/Written: 08/24/2007 03:33:35 PM
Event ID/Source: 7001 / Service Control Manager
Event Description:
The Universal Plug and Play Device Host service depends on the SSDP Discovery Service service which failed to start because of the following error: %%1058

-- End of Deckard's System Scanner: finished at 2007-08-26 02:39:36 ------------

Norton did a full system scan and found/deleted Trojan.ByteVerify under filename 27749188-610c3ead. Nothing appears to have changed with the system, though; I still have the Windows security alert for Norton also. Thought it might help for you to know.

If it says "No infected files were found", right-click the list box (white box) in the main VundoFix window.

Select "Add More Files?" from the menu that comes up.

This will open a new VundoFix window that says "Paste files into the boxes below:"

In that window, copy and paste the following file path in the first (top) field:
C:\WINDOWS\system32\pmnlmll.dll <- (insert first file here with the full filepath like this example)

Click the 'Add Files' button.

Click the 'Close Window' button.

Click the 'Remove Vundo' button.

You will receive a prompt asking if you want to remove the files, click YES

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will shutdown your computer, click OK.

Turn your computer back on.

Please post the contents of C:\vundofix.txt and a new HiJackThis log in your next reply.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

1. Please re-open HiJackThis and choose "Do a system scan only". Check the boxes next to ONLY the entries listed below (if present):

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.

Click the red Moveit! button.

Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Note: If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.

So in your next reply I need to see the following : the VundoFix text, the OTMoveIt results, a new DSS log, and tell me how your PC is running now and if you had any problems.

Ran all the programs; ran VundoFix I think 3 times. It kept finding stuff but not pmnlmll.dll, so I added it and it still didn't find it. Still have the security alert, and it still wants to connect itself to the net when offline. Some pages will have a popup on the page for AntivirusPro 2007. Here are the logs.

Attempting to delete C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\awtqp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bfomumcl.ini
C:\WINDOWS\system32\bfomumcl.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\lcmumofb.dll
C:\WINDOWS\system32\lcmumofb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nwhmanto.dll
C:\WINDOWS\system32\nwhmanto.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqtwa.bak1
C:\WINDOWS\system32\pqtwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqtwa.bak2
C:\WINDOWS\system32\pqtwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pqtwa.ini
C:\WINDOWS\system32\pqtwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Scan started at 6:33:54 PM 8/27/2007

Listing files found while scanning....

C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\pmkhi.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Scan started at 6:41:08 PM 8/27/2007

Listing files found while scanning....

C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\pmkhi.dll

Beginning removal...

Performing Repairs to the registry.
Done!

OTMoveIt results:
C:\WINDOWS\system32\qpqss.ini2 moved successfully.
C:\WINDOWS\system32\qpqss.bak2 moved successfully.
C:\WINDOWS\system32\qpqss.bak1 moved successfully.
C:\WINDOWS\PowerReg.dat moved successfully.
File/Folder c:\program files\zango not found.

Created on 08/27/2007 18:50:18

Deckard's System Scanner v20070819.64
Run by Compaq_Owner on 2007-08-27 18:51:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------
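One pattern is visible across the VundoFix and OTMoveIt output posted in this thread: every .ini/.bak companion file is named with a .dll name spelled backwards (ihkmp.ini beside pmkhi.dll, pqtwa.ini beside awtqp.dll, bfomumcl.ini beside lcmumofb.dll), and the logs themselves arrive with pairs of lines run together. The Python script below is an added example, not something posted in the thread and not part of VundoFix, OTMoveIt or HijackThis. It pulls the paths out of fused log text, groups each companion under the DLL its reversed name implies, and, where no such DLL was logged (as with qpqss.ini2), names the DLL to look for next. The sample log is constructed from the lines above; the function names and the choice of companion extensions are assumptions of the example.

```python
"""Pair Vundo companion files with their DLL names in VundoFix/OTMoveIt log text.

Added example, not posted in this thread and not part of VundoFix or OTMoveIt.
It relies on one thing the posted logs show: each .ini/.bak name is the .dll
name spelled backwards (ihkmp -> pmkhi, pqtwa -> awtqp, bfomumcl -> lcmumofb).
Sample text, function names and output layout are assumptions of this example.
"""
import re
from collections import OrderedDict, defaultdict

# Constructed sample, modelled on the lines posted above. As in the thread, two
# log lines are often run together with no newline between them.
SAMPLE_LOG = (
    r"Attempting to delete C:\WINDOWS\system32\ihkmp.bak1C:\WINDOWS\system32\ihkmp.bak1 Has been deleted!" "\n"
    r"Attempting to delete C:\WINDOWS\system32\ihkmp.iniC:\WINDOWS\system32\ihkmp.ini Has been deleted!" "\n"
    r"Attempting to delete C:\windows\system32\vkrhdkuh.dllC:\windows\system32\vkrhdkuh.dll Has been deleted!" "\n"
    r"Attempting to delete C:\WINDOWS\system32\awtqp.dllC:\WINDOWS\system32\awtqp.dll Has been deleted!" "\n"
    r"Attempting to delete C:\WINDOWS\system32\pqtwa.iniC:\WINDOWS\system32\pqtwa.ini Has been deleted!" "\n"
    "Listing files found while scanning....\n"
    r"C:\WINDOWS\system32\ddayv.dllC:\WINDOWS\system32\pmkhi.dll" "\n"
    r"C:\WINDOWS\system32\qpqss.ini2 moved successfully." "\n"
)

# A path runs from a drive letter up to whitespace, the next drive letter (two
# fused lines) or end of text. Paths containing spaces are not handled; none of
# the system32 names in these logs contain any.
PATH_RE = re.compile(r"[A-Za-z]:\\\S+?(?=\s|[A-Za-z]:\\|$)", re.MULTILINE)

# Extensions the tools reported next to the DLLs in this thread (.ini, .ini2, .bak1, .bak2).
COMPANION_PREFIXES = (".ini", ".bak")


def extract_paths(text):
    """Unique paths in order of first appearance, de-duplicated case-insensitively."""
    seen = OrderedDict()
    for path in PATH_RE.findall(text):
        seen.setdefault(path.lower(), path)
    return list(seen.values())


def split_name(path):
    """Return (stem, extension) of the file name, both lower-cased."""
    name = path.rsplit("\\", 1)[-1].lower()
    stem, dot, ext = name.rpartition(".")
    return (stem, "." + ext) if dot else (name, "")


def pair_vundo_files(paths):
    """Group companion files under the DLL whose name is theirs reversed.

    Returns (paired, orphans, lone_dlls):
      paired    - {dll path: [companion paths]} where both sides appear in the log
      orphans   - {implied dll name: [companion paths]} where no such DLL was logged;
                  the implied name is what to look for next
      lone_dlls - DLL paths with no companion file in the log
    """
    dlls = {}
    by_implied_dll = defaultdict(list)
    for path in paths:
        stem, ext = split_name(path)
        if ext == ".dll":
            dlls[stem] = path
        elif ext.startswith(COMPANION_PREFIXES):
            by_implied_dll[stem[::-1]].append(path)  # reversed stem names the DLL
    paired = {dlls[s]: sorted(v) for s, v in by_implied_dll.items() if s in dlls}
    orphans = {s + ".dll": sorted(v) for s, v in by_implied_dll.items() if s not in dlls}
    lone_dlls = sorted(p for s, p in dlls.items() if s not in by_implied_dll)
    return paired, orphans, lone_dlls


if __name__ == "__main__":
    paired, orphans, lone = pair_vundo_files(extract_paths(SAMPLE_LOG))
    for dll, files in paired.items():
        print(f"{dll}\n    companions: {', '.join(files)}")
    for dll, files in orphans.items():
        print(f"no DLL logged for {', '.join(files)}; look for {dll}")
    print("DLLs without companions:", ", ".join(lone))
```

Run against the sample, it pairs ihkmp.* with pmkhi.dll and pqtwa.ini with awtqp.dll, reports that qpqss.ini2 implies an ssqpq.dll that never showed up in the logs, and lists ddayv.dll and vkrhdkuh.dll as DLLs with no companion. The orphan list is the useful part when a tool "keeps finding stuff" but misses a file, since it gives a concrete name to add by hand.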

If it says "No infected files were found", right-click the list box (white box) in the main VundoFix window.

Select "Add More Files?" from the menu that comes up.

This will open a new VundoFix window that says "Paste files into the boxes below:"

In that window, copy and paste the following file path in the first (top) field:
C:\WINDOWS\system32\pmnlmll.dll <- (insert first file here with the full filepath like this example)

Click the 'Add Files' button.

Click the 'Close Window' button.

Click the 'Remove Vundo' button.

You will receive a prompt asking if you want to remove the files, click YES

Once you click yes, your desktop will go blank as it starts removing Vundo.

When completed, it will prompt that it will shutdown your computer, click OK.

Turn your computer back on.

Please post the contents of C:\vundofix.txt and a new HiJackThis log in your next reply.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\system32\pmnlmll.dll

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.

Click the red Moveit! button.

Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Please "Copy" the results from the "Results" window (to the right) and then "Paste" them into your next reply on the forum.

Note: If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Click "Exit" to close OTMoveIt.

So in your next reply please post the following : the VundoFix text and the OTMoveIt results.

So far, in the first couple of minutes since restarting, it seems to be running better. It picked that file up this time; the only thing I'm still noticing so far is the Windows security alert for Norton. Here are the logs.

Thanks again. Let me know if there's anything else you need or anything else I need to run on here.

Edit--- I opened the Norton security center and clicked the box at the bottom that says "Do not display Windows Security Center (Recommended)" and the little warning in the tray went away. Windows was still saying Norton is reporting it is turned off; I don't have access to Windows Security now, though, to see what it is saying.

2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.

Next download AVG Anti-Spyware from HERE and save that file to your desktop. This is a 30-day trial of the program.

Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.

Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.

On the main screen select the icon "Update" then select the "Update now" link.

Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.

Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.

Once in the Settings screen click on "Recommended actions" and then select "Quarantine".

Under "Reports"

Select "Automatically generate report after every scan"

Un-Select "Only if threats were found"

Close AVG Anti-Spyware, Do Not run a scan just yet, we will shortly.

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.

Launch AVG Anti-Spyware by double-clicking the icon on your desktop.

Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".

AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time. Once the scan is complete do the following:

If you have any infections you will be prompted; then select "Apply all actions".

Next select the "Reports" icon at the top.

Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).

Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

So in your next reply please post the following : a new DSS log, the AVG Anti-Spyware report, and tell me how your PC is running now and if you had any problems.